Protect your API key (and your credit rating)
Google API keys. Powerful. Commonly used on websites. But able to cost you a lot of money. Learn how to protect them and your wallet.
Google API keys. Powerful. Commonly used on websites. But able to cost you a lot of money. Learn how to protect them and your wallet.
Software is eating the world. The software supply chain is very complex to understand and manage. One slip up upstream, and that code is in your image very rapidly. Continuous!
Setting the security context in Kubernetes is something you need to do. Reduce the privilege as much as you can. Defense in Depth. It’s your friend.
Fluent-Bit log routing by namespace or by cluster. Route the logs from the right input(s) to the right outputs in fluent-bit in kubernetes.
Cloud. It achieves its elastic nature using Load Balancers and Proxies. The sad side affect of these is they remove the source IP. Let’s try to bring it back.
Ever wanted to apply Kubernetes secrets without displaying or persisting the secret value? Well now you can: Unix to the rescue!
Have you ever had a Pod in a Deployment that you wish would just pull the latest container image to see what’s up? Want to run the equivalent of `touch`? Read on!
Keeping your cool during an upgrade is important. Let the scheduler do its work, you’ll reconverge to happiness.
Like scalable storage? Like resilience, redundancy? Want to run your own Kubernetes cluster with great persistent disks? Let’s talk ceph!
Kubernetes technically doesn’t support dual-stack (ipv4 and ipv6 simultaneously). What if you want to run some CI job in there that requires a localhost ::1 to bind to? Read on!
Add the sha-hash of a configmap contents to its name as a design pattern and simplify your Deployment restarts, knowing they always have the right value and don’t die on error.
HSTS exists to secure your site, to enforce your HTTPS-only policy. Why not use it and put yourself on the preload list?
Cloud logging. How much space does a typical keep-alive take if you log it?
You would be shocked that 1 byte of log could be 32+ KiB of output space. Watch the entropy!
Randomness is needed for seeding encryption, particularly at session start. In an orchestrated cloud environment, we use a lot of it, but have no user to provide. What to do?
Want to see what ‘docker’ is doing on a Kubernetes node (logs, ps, images), or re-pull an image? Don’t want to ssh there? dink!
Could cloud logging be the next NTP amplification attack for a DDoS? A small input produces a larger output, the ingredients are there…
Learn how to safely protect ‘internal’ or ‘development’ resources while having them on the public Internet. Simply.
You are working with multiple clouds. But, you keep changing context and then accidentally applying something. Ooops. If only this could be simpler.Drop these two bits in your .bashrc. Now you can simply say ‘context foo’ and be in that context with a little bit of colour in your prompt to remind you.
Declarative vs Imperative. In a ‘declarative’ world I document the desired state, and it is the job of the system to ‘make it so’. In a declarative world you don’t need to worry about ‘how’, and you don’t need to worry about things later breaking… If they change, the system puts it back.
In an imperative world, you instruct each step. Install that software, configure that port, etc.
Does declarative work always? read on
In a declarative world its all written down and checked into version control. No commands are used.
Sometimes you hit a wall and have to punt.
Here I show a simple workaround using `envsubst` for those times that declarative just doesn’t work.
Sometimes you need a debug container hanging around to check something from within your cluster. You cobble something together, make the ‘command’ be ‘sleep 3600’ or ‘tail -f /dev/null’ and call it a day. But they don’t terminate gracefully.
Let’s learn how to fix this.
Are you lazy and use ‘-k’ to curl all the time when using Let’s Encrypt staging? Or worse, use snake-oil? Or even worse, use just http for ‘test’? Let me show you how to fix that, simply.
Cloud Native means being resilient to unexpected changes, to achieving high availability through embracing failures rather than designing them out.
Google has added ‘preemptible’ nodes to their Google Cloud, available to their managed Kubernetes. These nodes are a lot cheaper, but there’s a catch: sometimes they die!
Can we make use of this? Let’s see, using our Continuous Integration runners of Gitlab.
Cloud Native implies a continuum. A declarative world that has no special event that occurs when it is started or finished.
Non cloud-native applications often have ‘start’ or ‘upgrade’ tasks that need performing. Things that need to be done ‘one’ or ‘first’ or at some lifecycle stage.
How can we integrate these two worlds?
Let’s Encrypt. It makes it simple and free to have decent TLS security.
But the staging environment intermediate cert is (rightly) not trusted. How can you safely use this? Find out!